Objective: be able to design packet filtering firewall rules and identify advantages/disadvantages of such firewalls
a.
Figure 1: Network Diagram
b.
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | TCP | 31.13.75.0/24 | 1234 | 10.3.3.2/24 | 22 | Allow
2 | TCP | 23.63.9.0/24 | 1234 | 10.3.3.2/24 | 22 | Allow
3 | HTTP/HTTPS | 10.3.3.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
4 | HTTP/HTTPS | 10.3.2.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
5 | HTTP/HTTPS | 10.3.1.0/24 | Any | 138.77.179.2/24 | 80,8080 | Allow
6 | SMTP | 10.3.1.0/24 | Any | 138.77.179.2/24 | 25 | Allow
- Rule 1 allows one of the partner organizations to establish an SSH connection and transfer files over a TCP connection.
- Rule 2 allows the other partner organization (the 23.63.9.0/24 source in the table) to establish an SSH connection and transfer files over a TCP connection in the same way.
- Rule 3 allows traffic from the staff subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 4 allows traffic from the student subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 5 allows traffic from the research subnet to reach the DMZ for HTTP/HTTPS packets.
- Rule 6 allows the research unit to communicate with the DMZ mail server using SMTP.
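The following is an added worked example, not part of the original assignment answer: a small first-match packet filter that loads the six rules from the table in part (b) and evaluates constructed sample packets against them. It assumes first-match semantics with a default deny for anything unmatched (the table states neither), treats the "HTTP/HTTPS" and "SMTP" rows as TCP rules on the listed ports (a packet filter matches transport protocol and port, not application names), and reads a destination such as 10.3.3.2/24 as the whole 10.3.3.0/24 subnet. The second sample packet shows what happens when a rule pins the source port to 1234 while a real SSH client picks an ephemeral source port.

```python
"""First-match packet filter modelled on the rule table in part (b).

Added illustration, not from the original assignment. Assumptions:
- rules are evaluated top to bottom and the first match decides;
- a packet that matches no rule is denied (default deny);
- the HTTP/HTTPS and SMTP rows are treated as TCP rules on their ports;
- a destination like 10.3.3.2/24 means the whole 10.3.3.0/24 subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int
    proto: str    # transport protocol, e.g. "TCP"
    src: str      # CIDR, or "any"
    sport: str    # single port, comma-separated list, or "any"
    dst: str
    dport: str
    action: str   # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _net_match(cidr: str, addr: str) -> bool:
    if cidr.lower() == "any":
        return True
    # strict=False accepts a host address with a mask (10.3.3.2/24) and maps it to 10.3.3.0/24
    return ip_address(addr) in ip_network(cidr, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec.lower() == "any":
        return True
    return port in {int(p) for p in spec.split(",")}


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto.upper() == pkt.proto.upper()
        and _net_match(rule.src, pkt.src_ip)
        and _port_match(rule.sport, pkt.src_port)
        and _net_match(rule.dst, pkt.dst_ip)
        and _port_match(rule.dport, pkt.dst_port)
    )


def evaluate(rules, pkt: Packet):
    """Return (action, rule number) for the first matching rule, or ("Deny", None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "Deny", None


# The six rules of part (b); transport normalised to TCP (assumption, see docstring).
RULES = [
    Rule(1, "TCP", "31.13.75.0/24", "1234", "10.3.3.2/24", "22", "Allow"),
    Rule(2, "TCP", "23.63.9.0/24", "1234", "10.3.3.2/24", "22", "Allow"),
    Rule(3, "TCP", "10.3.3.0/24", "any", "138.77.179.2/24", "80,8080", "Allow"),
    Rule(4, "TCP", "10.3.2.0/24", "any", "138.77.179.2/24", "80,8080", "Allow"),
    Rule(5, "TCP", "10.3.1.0/24", "any", "138.77.179.2/24", "80,8080", "Allow"),
    Rule(6, "TCP", "10.3.1.0/24", "any", "138.77.179.2/24", "25", "Allow"),
]

# Constructed sample packets (addresses inside the subnets of the diagram; 203.0.113.9 is a documentation address)
SAMPLES = {
    "partner_ssh": Packet("TCP", "31.13.75.10", 1234, "10.3.3.2", 22),
    "partner_ssh_ephemeral": Packet("TCP", "31.13.75.10", 51000, "10.3.3.2", 22),
    "staff_web": Packet("TCP", "10.3.3.40", 40000, "138.77.179.2", 80),
    "student_smtp": Packet("TCP", "10.3.2.15", 40001, "138.77.179.2", 25),
    "research_smtp": Packet("TCP", "10.3.1.7", 40002, "138.77.179.2", 25),
    "outside_web": Packet("TCP", "203.0.113.9", 40003, "138.77.179.2", 80),
}


def run_samples():
    """Evaluate every sample packet; returns {name: (action, rule number)}."""
    return {name: evaluate(RULES, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, num) in run_samples().items():
        print(f"{name:24} -> {action} (rule {num})")
```

The student SMTP packet and the outside web packet fall through to the default deny, which is the behaviour the rule set relies on; the partner SSH packet with an ephemeral source port is denied as well, which is the check to run before deploying a rule that fixes the source port.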
c.
Rule No. | Transport | Source IP | Source Port | Dest. IP | Dest. Port | Action
1 | TCP | 104.55.0.0/16 | ANY | 138.77.179.2/24 | ANY | Allow
This rule allows the professor, connecting from any IP address in the 104.55.0.0/16 subnet, to access the DMZ over TCP.
a). MAC Address Filtering
MAC filtering is a technique in which wireless devices are filtered based on their MAC addresses. It enables network administrators to specify which devices are allowed on the network and to block any device that is not on that list. It is a free service provided by many wireless routers and APs as a built-in feature.
What does a MAC filter do, and how does it affect security?
As a built-in feature, it can either whitelist or blacklist systems on the network based on their MAC address, and further configuration can be applied to the allowed systems. A whitelist is better than a blacklist, because only the systems on the whitelist are allowed onto the network, which gives better security than a blacklist. MAC address filtering then checks every device that wants to access the network; if the device is not listed, the filter blocks it from joining. (Hassan, & Zhang, 2011)
Limitations of MAC address filter
If there is a new device on the network, you need to add it to the whitelist before it can connect. MAC addresses also need to be kept up to date, but this updating is needed for any type of device, wired or wireless.
MAC filtering is useless if an attacker spoofs a MAC address that is on the whitelist in order to connect to the network. To obtain this information, attackers use a specialised program called a sniffer, which intercepts the data flowing over the network and reads off the MAC addresses of the devices that are communicating.
b). How the key is calculated
WPA is the successor to WEP, which was used to connect to a wireless AP using a pre-shared key. WPA-PSK came as an improvement on WEP and was supported by many devices; older devices needed a firmware upgrade to become compatible with WPA. As for the key, WPA works with TKIP and AES, and AES works with a 256-bit key. This key is given either as 64 hexadecimal digits or as 8-64 ASCII characters. If ASCII characters are used, as is most common among home users, the 256-bit key is calculated by applying the PBKDF2 derivation function to the passphrase, with the SSID as the salt and 4096 iterations of HMAC-SHA1. (Hassan, & Zhang, 2011)
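The derivation just described, as an added example that is not part of the original answer: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and a 32-byte (256-bit) output, using only the standard library. The passphrase/SSID pair "password"/"IEEE" is the test vector published in IEEE 802.11i Annex H, so the result can be checked against the standard; the 8-63 character limit on ASCII passphrases in the code is also from that standard (the 64-character form is the hex-encoded raw key).

```python
"""WPA/WPA2-PSK key derivation (added illustration, not from the original text).

PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32)
"""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from an ASCII passphrase and the network SSID."""
    # IEEE 802.11i limits ASCII passphrases to 8..63 characters; a 64-character
    # string is the hex form of the raw key and goes through psk_from_hex instead.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psk_from_hex(hex_key: str) -> bytes:
    """The 64-hex-digit form: the raw 256-bit key, no derivation needed."""
    key = bytes.fromhex(hex_key)
    if len(key) != 32:
        raise ValueError("hex PSK must be exactly 64 hex digits")
    return key


def same_passphrase_different_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two networks end up with different PSKs for the same passphrase."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, which is why a precomputed table of PSKs only helps an attacker against networks whose SSID was included in the table; the 4096 iterations are what make each guess of a weak passphrase cost a measurable amount of work.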
Objective: Understanding important challenges with securing WiFi networks
Brute Force attack on WPA
Like WEP, WPA remains susceptible to cracking attacks. These attacks are much more successful if the chosen password or passphrase is weak. To be secure from brute-force attacks we should use random characters as our password, but since we cannot remember random keys, we use much stronger keywords that are generally not found in a dictionary. The length recommended to be safe from brute-force attacks is 20 characters chosen from the allowed set of 95 characters.
- Recommendations
- The password should have an expiry date, meaning the password expires and the same string cannot be reused in any form; a totally random password is created for the next period. The advantage is that new passwords make brute-force and similar attacks nearly impossible; the disadvantage is that you need to memorise a new password every so often. (Yang, Chu, Li, Petrovic, & Busch, 2014)
- Do not use dictionary words or any personal information in your password. The advantage is that attackers cannot guess the password using a dictionary or your personal details; the disadvantage is that such passwords are difficult to remember.
- We should use multi-factor authentication to confirm the user's identity. The advantage is an additional layer of security on top of the password; the limitation is that we need to have the phone on which the OTP will be received.
b.
- There should be no dictionary words or common phrases.
- Advantage: the attacker cannot run a dictionary attack, and the password is much more secure.
- Disadvantage: random characters are difficult to manage and memorise, so users can forget them very easily.
- Do not include any personal information in your password, such as birth date, birth year, location, favourite band or music, etc. Because this personal information is available to everyone over social media, we should refrain from using it in passwords, as it is easy to guess or obtain.
- Advantage: a secure password.
- Disadvantage: difficult to remember, and building a random password is not that easy.
- Use the special character set in your password, but numerals or special characters should not be used more than once at a regular interval.
- Advantage: A jumbled password that is very difficult to guess
- Disadvantage: difficult to build a password with such complexity.
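As an added example (not part of the original answer), the checks above, together with the 20-character / 95-character-set recommendation from the brute-force section, turned into a small policy checker. The word list and the personal-information profile are constructed for the demonstration; a real check would use a large dictionary and the account holder's actual profile data. The "regular interval" rule is implemented as a heuristic: non-letter characters recurring at one fixed stride of two or more positions.

```python
"""Password policy checker for the rules listed above (added illustration)."""
import math
import string

# The 95 printable ASCII characters (letters, digits, punctuation, space)
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MIN_LENGTH = 20  # length recommended above against brute force

# Constructed mini dictionary of words and common phrases; a real list is far larger
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "dragon", "iloveyou"}


def _leet_normalise(pw: str) -> str:
    """Undo common substitutions (P@ssw0rd -> password) before the dictionary check."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                           "5": "s", "7": "t", "!": "i"})
    return pw.lower().translate(table)


def _periodic_symbol_pattern(pw: str) -> bool:
    """Heuristic: digits/specials recurring at one fixed stride >= 2, e.g. a1b1c1d1."""
    positions = [i for i, ch in enumerate(pw) if not ch.isalpha()]
    if len(positions) < 3:
        return False
    gaps = {b - a for a, b in zip(positions, positions[1:])}
    return len(gaps) == 1 and next(iter(gaps)) >= 2


def entropy_bits(pw: str) -> float:
    """Upper bound: every character drawn uniformly from the 95-character set."""
    return len(pw) * math.log2(len(PRINTABLE))


def check_password(pw: str, personal_info):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(ch not in PRINTABLE for ch in pw):
        problems.append("contains characters outside the printable set")
    normalised = _leet_normalise(pw)
    if any(word in normalised for word in DICTIONARY):
        problems.append("contains a dictionary word or common phrase")
    for item in personal_info:
        item_l = item.lower()
        # check both raw and de-leeted forms so 1990 is caught before '1' becomes 'i'
        if len(item_l) >= 4 and (item_l in pw.lower() or item_l in normalised):
            problems.append(f"contains personal information ({item})")
    if _periodic_symbol_pattern(pw):
        problems.append("digits/special characters repeat at a regular interval")
    if not (any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
        problems.append("needs at least one digit and one special character")
    return problems


if __name__ == "__main__":
    # Constructed profile and candidate passwords
    profile = ["1990", "Sydney"]
    for candidate in ["Summer2017!", "Tr0ub4dor-Sydney-1990!!",
                      "a1b1c1d1e1f1g1h1i1j1", "k7#Qv!m2Zp&Lr9Wt$Nc4"]:
        print(f"{candidate:26} {entropy_bits(candidate):6.1f} bits  {check_password(candidate, profile)}")
```

Only the last candidate passes; it is also the one that illustrates the disadvantage listed above, since a 20-character random string is exactly what a user cannot memorise, which is the case for a password manager made in the next section.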
- Password Managers
Password managers take the load off the user, who can do productive work rather than remembering a different password for every website. After the master password has been entered, the password manager fills in a randomly generated password when you visit a website for the first time. It can be configured to fill in other details, such as address and email, automatically. The password manager generates random passwords to protect them from any type of attack. Password managers also help mitigate phishing attacks, because a password is only revealed on the website for which it was made; otherwise the manager prompts to create a new password, which makes the user aware that a different URL is being used in a phishing attack. (Onno, Neumann, & Heen, 2012)
Password managers are tools that assist in managing passwords; the assistance includes password generation, password storage and retrieval of passwords from the database. There are two types of password managers:
- Locally Installed
- Online based services
Depending on the password manager installed, the services provided include an encrypted database, password storage in encrypted form, and password files stored locally or remotely via an online file hosting service like Dropbox. Password managers usually require one master password that gives the user access to all the information saved in the password manager. (Onno, Neumann, & Heen, 2012)
d.
Major Advantages of Password Managers
- The passwords generated are completely random and difficult for any other software to guess. No modification to the application is needed for the password manager to work with it.
- The passwords are stored in encrypted form in the database, which means nobody but you can access them.
- It prevents the same password from being reused on every website: different passwords can be generated and linked to a single master password using the password manager. (Yang, Chu, Li, Petrovic, & Busch, 2014)
Major Disadvantages of Password Managers
- Many password managers save passwords in plaintext that could be easily read, making them vulnerable to attack. Password files stored locally could be deleted, which means you would need to reset the password for every website again; it is recommended to save a backup of the file in a remote location.
- If the master password is leaked or easily guessed, it opens all the doors for the attacker and none of the passwords remain secure.
- Multi-factor authentication adds an additional layer of security but requires another device to receive the OTP that verifies the device.
- If the password generator works from a dictionary or uses weak random passwords in place of cryptographically secure ones, they would be easily cracked.
- Comparing web-based vs standalone password managers
LastPass is the most used password manager in the world. As for services, it has all the services found in most password managers, but the services it introduced were either at the forefront of pioneering or have significant improvements in features over any other competitor in the market. The passwords generated are of top quality and are not susceptible to brute-force attacks.
LastPass is a browser extension; it stores the files in a secure remote location, and some of its features work in offline mode as well. The password database is secure, and once downloaded it is decrypted on the device itself, so no plaintext passwords are transmitted. This feature also allows the user to access the passwords locally without an internet connection. The disadvantage is its dependency on an internet connection to sync, without which it will not work.
Objective: Understand what makes a strong password, and the difficulties of using passwords for most users
As security is a concern, people refrain from storing data online, and storing passwords in the cloud is another challenge in making users understand the various advantages of this feature.
KeePass is the right software for such people: it does not just make strong passwords but stores the entire password database locally on the machine on which it is installed. Although the KeePass database can be synced over the internet using Dropbox, this requires the password file to be uploaded to the cloud, which is the biggest disadvantage of such a system. (Agholor, Sodiya, Akinwale, & Adeniran, 2016)
Standalone password managers generally store the passwords locally on the system. To sync them we can use two approaches: cloud-based storage, or storage in an email backup. Both provide the required security for the database, because the standalone password manager stores the files in encrypted form with a hash check; if anything is altered or manipulated, the file's authenticity check fails and the file is re-synced from the local backup, and vice versa. (Agholor, Sodiya, Akinwale, & Adeniran, 2016)
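The master-password and authenticity-check mechanism described in the two paragraphs above, as an added example that is not the design of KeePass, LastPass or any other product: a MAC key is derived from the master password with PBKDF2, the stored vault file carries an HMAC over its salt and body, and a copy that was altered in transit (cloud sync, email backup) fails verification so the sync logic can fall back to the other copy. The encryption of the vault body is assumed to be done elsewhere by the manager (it is out of scope for a standard-library-only example), so the body here is a constructed byte string standing in for ciphertext; the iteration count is likewise a constructed value.

```python
"""Master-password-keyed integrity check for a synced vault file (added illustration)."""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value, tune to the hardware


def derive_mac_key(master_password: str, salt: bytes) -> bytes:
    """32-byte MAC key from the master password; the salt is stored alongside the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def seal_vault(master_password: str, ciphertext: bytes) -> bytes:
    """Build the on-disk/sync file: JSON with salt, vault body and a tag over both."""
    salt = os.urandom(16)
    key = derive_mac_key(master_password, salt)
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    record = {"salt": salt.hex(), "vault": ciphertext.hex(), "tag": tag.hex()}
    return json.dumps(record).encode("utf-8")


def open_vault(master_password: str, blob: bytes) -> bytes:
    """Return the vault body if the tag verifies; raise ValueError otherwise."""
    record = json.loads(blob)
    salt = bytes.fromhex(record["salt"])
    ciphertext = bytes.fromhex(record["vault"])
    key = derive_mac_key(master_password, salt)
    expected = hmac.new(key, salt + ciphertext, "sha256").digest()
    # compare_digest runs in constant time, so timing does not reveal how much of the tag matched
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("vault authenticity check failed: wrong master password or file altered")
    return ciphertext


def verifies(master_password: str, blob: bytes) -> bool:
    try:
        open_vault(master_password, blob)
        return True
    except (ValueError, KeyError):
        return False


def sync_check(master_password: str, local_blob: bytes, remote_blob: bytes) -> str:
    """Decide which copy to trust, mirroring the 'synced from the backup, and vice versa' rule."""
    local_ok = verifies(master_password, local_blob)
    remote_ok = verifies(master_password, remote_blob)
    if local_ok and remote_ok:
        return "both-valid"
    if local_ok:
        return "restore-remote-from-local"
    if remote_ok:
        return "restore-local-from-remote"
    return "neither-valid"


def tamper(blob: bytes) -> bytes:
    """Flip one byte of the vault body, simulating corruption or manipulation during sync."""
    record = json.loads(blob)
    body = bytearray(bytes.fromhex(record["vault"]))
    body[0] ^= 0xFF
    record["vault"] = body.hex()
    return json.dumps(record).encode("utf-8")


if __name__ == "__main__":
    sealed = seal_vault("correct horse battery staple", b"constructed-vault-ciphertext")
    print("local valid:", verifies("correct horse battery staple", sealed))
    print("sync decision:", sync_check("correct horse battery staple", sealed, tamper(sealed)))
```

Two points the paragraph glosses over show up in the code: the salt has to travel with the file (otherwise the other machine cannot rederive the key), and a wrong master password is indistinguishable from a tampered file, which is the desired behaviour, since it means the check never tells an attacker which of the two happened.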
After deploying topology 5, we set up node 3 as the myuni website using the command sudo bash ~/virtnet/bin/vn-deployrealmyuni. After this command, the myuni website is installed on the system and active, but it is not secure.
- attached
b.
c.
- 443
- AES
- RSA
- RSA and SHA-256
- Most of the protocols include the CA certificate and the leaf certificate with their respective signatures. In this case we only need to know and verify the root certificate that has the valid matching signature; this is how current browsers need not download the CA first to establish SSL-based connections.
- As data packets travel from one location to another they contain the IP addresses of the source and destination as well as the physical address. This physical address can be used to get details about both C and S. Running the Nmap command against either system returns the operating system installed on the host machine. Using IPtrace, the malicious user can get the entire path to either of the systems.
- If NAT traversal is used, the malicious user may not be able to get the physical address or the exact address of C, but would still be able to get the path to C using IPtrace, although this would not be as effective as in the case without NAT.
- When C and S communicate over a VPN they create a tunnel between them, so nothing outside the tunnel exists. Even if the malicious user captures the packets, they cannot make any use of them, because the packets are encrypted and the malicious user cannot decrypt them.
- Reduced performance: packets need to be encrypted and decrypted at both ends for communication over the VPN, so encryption and decryption take a toll on performance, since a lot of time is needed to secure the packets.
Trust in the VPN: the VPN is the ultimate secure channel, and trust is necessary so that C and S can communicate without any issues or worries; but if the VPN is compromised, the malicious user would be able to read all the data and the VPN would not make any difference. (London Trust Media, 2017)
VPN server logs: the malicious user might request or otherwise get hold of the VPN server logs; these logs record all the IPs that have communicated with each other, and so might leak information about what has been communicated over the secure channel.
- The main aim of Tor is to separate the routing and identifying properties from each other, which helps in escaping any type of surveillance and traffic analysis by a malicious hacker. It encrypts the packets and bounces them over a random path of relays run by volunteers around the globe, leading to the most secure communication possible, as with the Tor Browser the data may not even pass through the malicious router node Rm. (London Trust Media, 2017)
- Advantages of Tor Vs VPN
- It does not need to trust any path; all paths are totally random in nature.
- Your ISP is not able to track your activities, so you are completely anonymous.
- More secure compared to a VPN, as the packets are encrypted and bounced over a random path of volunteer-run relays, so the data may not even pass through the malicious router node Rm. (London Trust Media, 2017)
- Disadvantages of Tor Vs VPN
- Tor is often blocked by many websites, so you might not be able to browse the website at all.
- Too slow for P2P networking: because packets are routed over different routes all the time, P2P becomes a lot slower.
- No protection from malicious Tor nodes: such nodes might capture packets and read or modify them as required for the onward communication or response.
References
Agholor, S., Sodiya, A., Akinwale, A., & Adeniran, O. (2016). A secured Mobile-Based Password Manager. 2016 Sixth International Conference On Digital Information Processing And Communications (ICDIPC). https://dx.doi.org/10.1109/icdipc.2016.7470800
Arash Habibi Lashkari, Mir Mohammad Seyed Danesh, & Samadi, B. (2009). A survey on wireless security protocols (WEP, WPA and WPA2/802.11i). 2009 2nd IEEE International Conference On Computer Science And Information Technology. https://dx.doi.org/10.1109/iccsit.2009.5234856
Hassan, A., & Zhang, X. (2011). Bypassing web-based wireless authentication systems. 2011 IEEE Long Island Systems, Applications And Technology Conference. https://dx.doi.org/10.1109/lisat.2011.5784246
London Trust Media, I. (2017). Advantages and Disadvantages of Tor vs VPN vs Proxy. Privateinternetaccess.com. Retrieved 29 May 2017, from https://www.privateinternetaccess.com/pages/tor-vpn-proxy
Onno, S., Neumann, C., & Heen, O. (2012). Conciliating remote home network access and MAC-address control. 2012 IEEE International Conference On Consumer Electronics (ICCE). https://dx.doi.org/10.1109/icce.2012.6161758
Shrestha, N., & Posts, V. (2017). 12 Tcpdump Commands – A Network Sniffer Tool. Tecmint.com. Retrieved 29 May 2017, from https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/
Yang, B., Chu, H., Li, G., Petrovic, S., & Busch, C. (2014). Cloud Password Manager Using Privacy-Preserved Biometrics. 2014 IEEE International Conference On Cloud Engineering. https://dx.doi.org/10.1109/ic2e.2014.91